From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [RFC PATCH ghak32 V2 01/13] audit: add container id Date: Wed, 18 Apr 2018 20:46:45 -0400 Message-ID: References: <32d3e7a6-36f0-571a-bb91-67f746c7eafa@schaufler-ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, LKML , Eric Paris , dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Linux-Audit Mailing List , ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org, luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org To: Casey Schaufler Return-path: In-Reply-To: <32d3e7a6-36f0-571a-bb91-67f746c7eafa-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org List-Id: netdev.vger.kernel.org On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler wrote: > On 4/18/2018 4:47 PM, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >>> Implement the proc fs write to set the audit container ID of a process, >>> emitting an AUDIT_CONTAINER record to document the event. >>> ... >>> >>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>> index d258826..1b82191 100644 >>> --- a/include/linux/sched.h >>> +++ b/include/linux/sched.h >>> @@ -796,6 +796,7 @@ struct task_struct { >>> #ifdef CONFIG_AUDITSYSCALL >>> kuid_t loginuid; >>> unsigned int sessionid; >>> + u64 containerid; >> This one line addition to the task_struct scares me the most of >> anything in this patchset. Why? It's a field named "containerid" in >> a perhaps one of the most widely used core kernel structures; the >> possibilities for abuse are endless, and it's foolish to think we >> would ever be able to adequately police this. > > If we can get the LSM infrastructure managed task blobs from > module stacking in ahead of this we could create a trivial security > module to manage this. It's not as if there aren't all sorts of > interactions between security modules and the audit system already. While yes, there are plenty of interactions between the two, it is possible to use audit without the LSMs and I would like to preserve that. Further, I don't want to entangle two very complicated code changes or make the audit container ID effort dependent on LSM stacking. You're a good salesman Casey, but you're not that good ;) -- paul moore www.paul-moore.com